
On Friday, Apple formally responded to the government’s demand that the company help unlock a seized iPhone in New York, which pre-dates the debacle that played out earlier this year in San Bernardino.

As Ars reported last month, federal prosecutors have asked a more senior judge, known as a district judge, to countermand a magistrate judge who earlier ruled in Apple’s favor, which is why Apple had to file now. In that ruling, US Magistrate Judge James Orenstein concluded that what the government was asking for went too far, and he worried about a "virtually limitless expansion of the government's legal authority to surreptitiously intrude on personal privacy."

The case involves Jun Feng, a drug dealer who has already pleaded guilty, and his seized iPhone 5S running iOS 7. Prosecutors have said previously that the investigation was not over and that it still needed data from Feng's phone. As the government has reminded the court, Apple does have the ability to extract data from this phone. Moreover, as Department of Justice lawyers note, Apple has complied numerous times previously.

By contrast, in San Bernardino, the government attempted to force Apple to write new software that would help the government brute-force a seized iPhone that was used by dead terrorist Syed Rizwan Farook. Ultimately, the government found an "outside source" who was able to get into the phone. It is unclear if anything useful to the investigation was contained on that phone. In both cases, however, the government sought the data under the authority of the All Writs Act, the obscure 18th-century law that allows courts to force people or companies to do things.

In this New York case, investigators have said they still need access to Feng’s phone for sentencing and for related cases. But Apple’s not buying it.

"The government has failed to show that it has exhausted other potential repositories of the information it wants from Feng’s iPhone," Apple lawyer Theodore Boutrous wrote in the 55-page filing, which was very similar to the earlier filings in the San Bernardino case.

"The government says that it seeks to learn Feng’s customers and sources from the data on his iPhone, DE 30 at 8, but it has not shown, for example, whether it attempted to get this information by subpoenaing relevant records from Feng’s cell-phone service provider, or by obtaining a warrant under the [Stored Communications Act], 18 U.S.C. § 2703, for the contents of any accounts Feng owns, such as an Internet-based email service or a social-media service, or for text messages sent to and from his phone," he said. "Nor did the government seek an SCA order to obtain other potentially useful information from Apple. These records or others may obviate the purported need for Apple’s assistance to bypass Feng’s passcode."

Since 2014, Apple has taken a two-pronged approach when it comes to resisting government pressure. With iOS 8 and later versions of the software, the company has said that it can no longer access data stored locally on the phone. And, most notably in this case, even if it does have the ability to extract data, Apple is refusing to do so on legal grounds.


Cyrus Farivar
Cyrus is a Senior Tech Policy Reporter at Ars Technica, and is also a radio producer and author. His latest book, Habeas Data, about the legal cases over the last 50 years that have had an outsized impact on surveillance and privacy law in America, is out now from Melville House. He is based in Oakland, California.

As the government has reminded the court, Apple does have the ability to unlock this phone.

Apple, like any company, has the ability to perform labor to meet an end, but the tools to do what they ask have not been built because Apple does not want to build them for themselves or anyone else. On what authority does any government derive a right to compel labor from its citizens? I thought the government worked for the citizenry, not the other way around.

As I said before: This judge did it right. He never challenged the AWA. He simply asked the FBI what were the limits on their request. They avoided answering that specific question. So he ordered the request dismissed as improper. He never said he would refuse a proper request. The fact that the FBI insist on a limitless request is proof that they are abusing the AWA.

Pretty funny when a private company does a better job of protecting the rights of Americans than do the persons who have sworn an oath that amounts to a requirement to do the same.

I bet they tell themselves they are the good guys so it's all right.

Short-sighted thinking of mankind never ceases to surprise me.

Edit: From the downvotes I can see why you thought I was talking about Apple, but I meant the Feds thinking they are the "good guys" not Apple. Although not a fan of Apple I am 100% with them on this (as I have also said in the past)

edit: I'm pretty sure they know what they are doing I guess what I meant is I'd like everybody to watch it and maybe people can have a better perspective of what the feds are asking.

I basically never quote a post to say "Yeah, this", but...yeah, this.

Laws are like requirements. A new requirement usually builds on an old requirement. It's not impossible--but it's much less likely, in my experience--that a new requirement will say, "yeah, blow this entire previous requirement away"...but it's much more likely that that new requirement will say "let's modify this functionality to accomplish something slightly different". Like a precedent that is used to force the decryption of one phone being used to force the decryption of an arbitrary number of phones.

Pretty funny when a private company does a better job of protecting the rights of Americans than do the persons who have sworn an oath that amounts to a requirement to do the same.

Uh, unless a 3rd party cracks it. Also note that Apple hands out your iCloud data upon a warrant.

Personally, I have my doubt about any device being secure if the key is present on the device and you have physical access. All Apple has achieved is to make this difficult, but not impossible. A nation state can pay plenty for a zero day.

Pretty funny when a private company does a better job of protecting the rights of Americans than do the persons who have sworn an oath that amounts to a requirement to do the same.

Because Apple is totally doing that. Protecting your right to privacy. Like any big tech company. Just ask Google. Ask Microsoft! Even Facebook.

Do you think they could be more protecting contracts with Chinese manufacturers than they are protecting your privacy?

No corporation anywhere ever does anything that earns it less money in the long run - unless the people at the top want the shareholders to behead them.

Pointless cynicism.

Of course companies want to make money, but unlike many others in the IT sphere, privacy of customer data is important to Apple because they don't sell it. On the contrary, the way they place their customers first is a selling point for them.

As for protecting contracts with manufacturers, it's hard to think why they'd favour the supply chain over the customers. One brings in revenue, the other cannot.

I'll say the same thing that I've been saying since the beginning of the San Bernardino case:

The government has no right (despite what the courts may or may not say; I'm speaking ideally, not as things stand or may stand) to demand that a private citizen or corporation (and according to the SC, I guess they are the same thing now) do its work for them.

I really don't understand why this isn't painfully obvious to everyone. The government should no more be able to require Apple to build software for government purposes than it should be able to require me to chop the wood in my garage or fix a pothole in the street.

And no, I don't care what those purposes are. Sure, they can ask me (or Apple) nicely. But if I (or Apple) declines that's the end of it. Or it should be.

Was NOT the "fix" the FBI used on the SB iPhone 5c "hack" for all THESE kind of case(s)? I guess the FBI does NOT want to share with other agencies? Still trying to force Apple to "break" its own device(s), why? EFF & ACLU need our support in these dire times for privacy!

As the government has reminded the court, Apple does have the ability to unlock this phone. Moreover, as Department of Justice lawyers note, Apple has complied numerous times previously.

Apple does not have the ability to unlock iPhones and Apple has never unlocked iOS devices for the government.

But your short sentence is equally inaccurate by omission. The actual language used is:

Quote:

...bypass the passcode security on an Apple device

Which Apple can and has done to retrieve some data on devices running older iOS versions.

Again, there is a huge difference between getting access to data only encrypted by the UID (which was possible in iOS 7) and getting access to data encrypted with the UID and passcode (which has never been a service Apple offered).

Unlocking the device gives you access to everything, including data encrypted with the passcode. Anything else is not "unlocking".

edit: I'm pretty sure they know what they are doing I guess what I meant is I'd like everybody to watch it and maybe people can have a better perspective of what the feds are asking.

It's an excellent video and I particularly like the effectiveness with which it mentions the fact you cannot ban an idea, when encryption is already a reality. You just have to live with it.

But I must caution on something here. An idea that we must keep in mind during the whole discussion: The feds can and should ask companies to help them break a phone. And companies must comply within the limits and guarantees of the law. It is important for any type of law enforcement or security agencies to have legal mechanisms that allow them to fight crime, when we consider said crime, or proof of it, may be hidden behind a digital wall.

The real danger here is not the feds asking this type of stuff. They should. The real danger here is what laws politicians are willing to pass, and societies willing to accept, that ensure the privacy of its citizens by being formulated in a levelled way. Like I said in the previous paragraph, companies should (must) comply with law enforcement and security agencies within the limits and guarantees of the law. And it is that law that we western countries are currently lacking and that should be a top priority of any government. The proposals so far are absurd and tremendously unbalanced against citizens and their right to privacy. It seems our politicians are incapable of coming up with any manner of common sense. The temptation for government overreach, in particular by some parties, seems to be too tempting for them, to the point of clouding their judgement and making them virtually ignorant in terms of digital security.

Both in this case (which is technologically distinct) and in the San Bernardino case, we could conceive a sane and safe legal environment in which companies could be asked to help law enforcement agencies or security agencies to crack the phone's contents. The manner, however, should be completely under the company's control. They would just hand over the unlocked device, not the technique or any software capable of replicating this action. And they would be doing this under a clear and citizen-friendly legal background of warrants that respected the gravity of the crime under investigation.

Anything less than that, we must not accept as free citizens. Anything more than that, and we risk a society where criminals can roam more freely than before.

Pretty funny when a private company does a better job of protecting the rights of Americans than do the persons who have sworn an oath that amounts to a requirement to do the same.

Uh, unless a 3rd party cracks it. Also note that Apple hands out your iCloud data upon a warrant.

Personally, I have my doubt about any device being secure if the key is present on the device and you have physical access. All Apple has achieved is to make this difficult, but not impossible. A nation state can pay plenty for a zero day.

The key isn't present on the device, only a key is built into the device hardware and that key is necessary but not sufficient - you also need the password to generate the key.